[BUG] Content Security policy for OpenSearch Dashboards #5917
Comments
Hello @gupta-mayank, I believe this is a duplicate of: #5639. @tianleh do you mind verifying if your contribution will be mitigating this issue as well?
My related change is for mitigating Clickjacking vulnerability, specifically the directive The current issue by @gupta-mayank is about the directives While the infrastructure to be introduced by my issue will help customers specify hot reloading CSP rules, choosing values to use for cc @seraphjiang
@tianleh the solution for CSP should be supported without additional effort according to your current design, which is to set the whole CSP policy that includes the iframe-related policy as well as others. If yes, this issue should be covered. If not, could you share what the gap is to extend the solution to support this case.
Yes. From this perspective, the issue is covered. @seraphjiang cc @kavilla
it's possible to specify CSP settings (for example,
Today, there are a range of dependencies that block a stricter CSP. See the appendix here: #4306
@tianleh, is there a way to turn on the nonce attributes for all the script and style elements that get loaded when the dashboards are initialized in the browser? I see a condition(s) in the minified code that conditionally sets the nonce attribute for the script elements like this:
checking |
@tianleh, could you please let me know if you had the opportunity to check on this?
Have been busy with 2.13.0 release recently with code freeze date 3/19/2024. Will check again this week after release. |
See the comment #5917 (comment) why stricter CSP is not supported. |
CSP Policy for OpenSearch Dashboards
We have been using OpenSearch Dashboards as a primary tool to visualize logs for triaging and get other insights from the logs. Of late, we have run some testing on OpenSearch Dashboards (ver 2.11.1) and found that the value for the Content-Security-Policy (CSP) response header has 'unsafe-eval' and 'unsafe-inline' for the script-src and style-src directives. This makes it easy to inject malicious code that will not be blocked by the browser (due to 'unsafe-eval' & 'unsafe-inline' in the CSP). This is a major security issue and hence we would like to know if there is a setting that we should apply or a workaround so that the security risk can be mitigated.
We have tried removing the unsafe directives from the CSP header (via our proxy) but the application fails to initialize properly in the browser. We have also explored the possibility of using 'nonce' with 'strict-dynamic' directives but it looks like OpenSearch Dashboards does not give any options/configurations to enable this. Removing the CSP header entirely would not be a valid solution either as the code still remains vulnerable.
Any suggestions or guidance on this will be really helpful.
More strict CSP as applicable.
Opensearch 2.11.1
OpenSearch Dashboards 2.11.1
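The two checks a reviewer of this thread would want to run are (a) does a given Content-Security-Policy header still grant 'unsafe-inline' or 'unsafe-eval' to script-src/style-src (the issue report above), and (b) if a nonce-based policy is served instead, does every script and style element in the page actually carry that nonce (the question about nonce attributes earlier in the thread). The following is an added example, not code from OpenSearch Dashboards or from anyone in this thread; the sample header and HTML are constructed to resemble what the report describes, and the helper names (parse_csp, find_unsafe_sources, build_nonce_policy, elements_missing_nonce) are this example's own.

```python
import base64
import re
import secrets

# Constructed sample header shaped like the one the report describes for 2.11.1.
# It is NOT copied from the OSD source; it only exists to exercise the checker.
SAMPLE_CSP = ("script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; "
              "style-src 'unsafe-inline' 'self'")

UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}
# script-src and style-src are the two directives the report is concerned with.
CHECKED_DIRECTIVES = ("script-src", "style-src")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, values = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(values)
    return policy


def find_unsafe_sources(header: str) -> list[tuple[str, str]]:
    """Return (directive, keyword) pairs where script-src or style-src allows
    'unsafe-inline' or 'unsafe-eval'. A missing directive falls back to
    default-src, exactly as the browser does."""
    policy = parse_csp(header)
    findings = []
    for directive in CHECKED_DIRECTIVES:
        values = policy.get(directive, policy.get("default-src", []))
        for value in values:
            if value.lower() in UNSAFE_KEYWORDS:
                findings.append((directive, value.lower()))
    return findings


def new_nonce() -> str:
    """Fresh unguessable nonce per response, base64 as the CSP spec expects."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def build_nonce_policy(nonce: str) -> str:
    """A nonce + 'strict-dynamic' policy of the kind the report asks about.
    Browsers that understand 'strict-dynamic' ignore host sources and
    'unsafe-inline' in that directive, so only nonced scripts (and scripts they
    create) run; no 'unsafe-eval' is granted."""
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
            f"style-src 'nonce-{nonce}'; object-src 'none'; base-uri 'self'")


TAG_RE = re.compile(r"<(script|style)\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR_RE = re.compile(r"""nonce\s*=\s*["']([^"']*)["']""", re.IGNORECASE)


def elements_missing_nonce(html: str, nonce: str) -> list[str]:
    """Return the opening tags of <script>/<style> elements that lack the
    expected nonce. Under a nonce policy every parser-inserted script,
    including external ones with src=, needs the attribute."""
    missing = []
    for match in TAG_RE.finditer(html):
        attrs = match.group(2)
        found = NONCE_ATTR_RE.search(attrs)
        if not found or found.group(1) != nonce:
            missing.append(match.group(0))
    return missing


# Constructed page fragment: two nonced elements and one inline script without a nonce.
SAMPLE_HTML = """<html><head>
<script nonce="{n}" src="/bundles/app.js"></script>
<style nonce="{n}">body {{ margin: 0 }}</style>
<script>window.__flag = 1;</script>
</head></html>"""


if __name__ == "__main__":
    print("unsafe sources in sample header:", find_unsafe_sources(SAMPLE_CSP))
    nonce = new_nonce()
    hardened = build_nonce_policy(nonce)
    print("hardened policy:", hardened)
    print("unsafe sources in hardened policy:", find_unsafe_sources(hardened))
    page = SAMPLE_HTML.format(n=nonce)
    print("elements missing nonce:", elements_missing_nonce(page, nonce))
```

Run against a real deployment, `find_unsafe_sources` takes the header value as returned by the server (or as rewritten by a proxy), and `elements_missing_nonce` takes the served HTML; a non-empty result from the second is exactly the failure mode the report hit when the unsafe keywords were stripped at the proxy, since the page's own script and style elements then have no nonce to match.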